Checking for changes on Linux live OSes

0

I am a novice to the terminal of Linux live OSes (e.g. Kali Linux).

Please advise what

1) built-in programs (e.g. syslog, ...), and

2) commands in the terminal (e.g. ls, ps, md5sum, ...)

one can use for checking changes to the live OS (since booting from disc), i.e. integrity checks. I am interested in going down to kernel level in scope.

unseen_rider

Posted 2015-05-20T20:15:26.990

Reputation: 121

Exactly what are you looking to detect? Changes to files that are on the live CD/USB? Have you tried find with one of the time options? I think -mtime and -ctime have what you need. – Neil Smithline – 2015-05-20T20:53:51.267

Although you are using Kali, this is better suited over at a Linux/server forum. – schroeder – 2015-05-20T21:36:16.717

Take a look at tripwire – wireghoul – 2015-05-21T01:14:15.283

Answers

0

LiveCDs generally work in one of two ways:

  1. They mount the root filesystem from the CD, then add tmpfs-based filesystems for places (such as /var or /home) that are intended to be modified. In this case, it's simple: the core files haven't changed, since they're not on a writable filesystem.

  2. They mount the root filesystem from the CD, then add an overlay filesystem that redirects all modifications to RAM. In this case, the best way to check for changes is to look at the documentation for the overlay filesystem in use, and see how to inspect it for changes.

Note that in either case, an attacker can hide the changes from you by tampering with the tools you intend to use. You cannot examine a system for integrity from within the system. You must inspect it from outside.

Mark

Posted 2015-05-20T20:15:26.990

Reputation: 1,304

OK, so how would one check the integrity of a live system from outside? – unseen_rider – 2015-09-21T14:04:50.847

Depends on how you're looking at it from outside (virtual machine vs. memory dump vs....), and it's a non-trivial exercise. – Mark – 2015-09-21T18:04:54.017

What search terms should I use to look into this further? – unseen_rider – 2015-09-22T18:45:17.293
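As an added illustration of the "compare against the unmodified medium" idea in the answer above (example code, not from the answer or from any distribution's tooling): a small POSIX shell helper that hashes every regular file under the pristine read-only image (the squashfs or CD root mounted somewhere, which is an assumed path that varies by distribution) and under the live root, then reports added, deleted and modified paths. Per the answer's caveat, the `find`, `sha256sum` and `awk` used here have to come from a trusted host or medium, not from the system being checked; paths containing whitespace are not handled.

```sh
#!/bin/sh
# Hypothetical helper (added example): diff a live root against the
# pristine image it was booted from. Usage: live_diff PRISTINE_DIR LIVE_DIR
# Output: one line per difference, "added|deleted|modified ./relative/path".

manifest() {
    # "sha256  ./relative/path" for every regular file under $1
    ( cd "$1" && find . -type f -exec sha256sum {} + )
}

live_diff() {
    pristine=$1
    live=$2
    a=$(mktemp) || return 1
    b=$(mktemp) || return 1
    manifest "$pristine" > "$a"
    manifest "$live"     > "$b"
    # First file: remember baseline hash per path. Second file: report paths
    # missing from baseline (added) or with a different hash (modified).
    # END: any baseline path never seen in the live manifest was deleted.
    awk '
        FILENAME == ARGV[1] { base[$2] = $1; next }
        {
            seen[$2] = 1
            if (!($2 in base))          print "added", $2
            else if (base[$2] != $1)    print "modified", $2
        }
        END { for (p in base) if (!(p in seen)) print "deleted", p }
    ' "$a" "$b" | sort
    rm -f "$a" "$b"
}

# Stand-alone use: live_diff /mnt/pristine-image /  (paths are assumptions)
if [ "$#" -eq 2 ]; then
    live_diff "$1" "$2"
fi
```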

-1

You should use journalctl. It tells you stuff that happened in systemd since ever. Don't know if it's on Kali and LiveCDs.

brainsandwich

Posted 2015-05-20T20:15:26.990

Reputation: 109